Wednesday, September 30, 2015

Criminals target sites and services hosted on web servers, such as banks and credit card payment gateways, for revenge, blackmail or activism. We need to be prepared for these attacks and take preventive measures.

In some of my previous articles I mentioned a few such attacks. In this article I will write about some more of the major attacks that are common today, and against which we need to protect ourselves if we want to run a business successfully.

I think we all have heard about the Denial of Service attack, or DoS. What is it actually?

A DoS attack aims to make a machine or network resource unavailable to its intended users. It temporarily or indefinitely suspends a service of a host connected to the internet. As a result, you may see:

The attack does not necessarily come from a single source. It may come from many machines with different IP addresses, and with IP address spoofing the attackers can also hide their own addresses, which makes it extremely hard to trace them. An attack from multiple sources is called a Distributed Denial of Service attack, or DDoS.

A DoS can be carried out in various ways, and each kind of attack works differently.

Internet Control Message Protocol Flood or ICMP Flood : Smurf attacks, Ping Flood and Ping of Death belong to this group. In a Smurf attack, the attacker sends ICMP echo requests to a network's broadcast address with the victim's address forged as the source. Every host on that network replies to the victim, and the replies consume the victim's bandwidth. In a Ping Flood the attacker simply sends an enormous number of echo requests, so the victim spends its bandwidth and CPU on replies. A Ping of Death is a malformed (oversized, fragmented) ping packet; an operating system that cannot reassemble it correctly crashes. Operating systems were patched against the original Ping of Death long ago, but the flood variants still work.

As I discussed earlier, the preventive measures for this sort of attack are configuring firewalls and routers properly: do not forward packets addressed to a broadcast address from outside the network, and rate-limit or drop ICMP echo requests.

SYN Flood : In a SYN Flood, the attacker sends an enormous number of TCP connection requests (SYN packets) to the victim server, usually with forged source addresses. For each one the server allocates a half-open connection, sends back a SYN-ACK and waits for the final ACK. Because the source addresses are forged, the SYN-ACKs go to hosts that never asked for a connection and the ACK never arrives. The half-open connections fill the server's listen backlog, and it can no longer accept legitimate connections. SYN cookies, which let a server answer a SYN without storing any state until the handshake completes, are the standard defence.
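To make the defence concrete, here is an added example (mine, not code from the original article or from any kernel) of the SYN cookie idea in Python: the server encodes everything it needs into the initial sequence number of the SYN-ACK, keyed with a secret, and only allocates connection state when a client returns a valid ACK. The secret, the MSS table and the 64-second time tick are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Assumptions for this example: a per-server secret held in memory (rotate it in
# practice) and a small MSS table; both are constructed here, not taken from any kernel.
SERVER_SECRET = b"example-secret-rotate-me"
MSS_TABLE = [536, 1300, 1440, 1460]   # index stored in 3 bits of the cookie


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _cookie_hash(src_ip, dst_ip, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", _ip_bytes(src_ip), _ip_bytes(dst_ip), sport, dport, counter)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK.
    Layout: 5-bit time counter | 3-bit MSS index | 24-bit hash = 32 bits."""
    counter = (int(now) // 64) & 0x1F                      # ticks every 64 s
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0
    return (counter << 27) | (mss_idx << 24) | _cookie_hash(src_ip, dst_ip, sport, dport, counter)


def check_syn_cookie(src_ip, dst_ip, sport, dport, ack_number, now):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF               # the client ACKs our ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = (int(now) // 64) & 0x1F
    if (current - counter) & 0x1F > 1:                    # only the current and previous tick are valid
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(src_ip, dst_ip, sport, dport, counter):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """Server side of the handshake that stores nothing until a valid ACK arrives."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}          # (src_ip, sport) -> mss; the only state we keep

    def on_syn(self, src_ip, sport, client_mss, now):
        # A spoofed SYN costs us one SYN-ACK and zero memory: nothing is recorded.
        return make_syn_cookie(src_ip, self.ip, sport, self.port, client_mss, now)

    def on_ack(self, src_ip, sport, ack_number, now):
        mss = check_syn_cookie(src_ip, self.ip, sport, self.port, ack_number, now)
        if mss is None:
            return False
        self.established[(src_ip, sport)] = mss
        return True


if __name__ == "__main__":
    srv = StatelessListener("10.0.0.1", 443)
    # 10,000 spoofed SYNs from addresses that will never answer
    for i in range(10_000):
        srv.on_syn("203.0.113.%d" % (i % 254 + 1), 1024 + i, 1460, now=1000)
    print("half-open state after flood:", len(srv.established))
    isn = srv.on_syn("192.0.2.7", 40000, 1460, now=1000)
    print("legitimate client completes:", srv.on_ack("192.0.2.7", 40000, isn + 1, now=1010))
```

The price of the trick is visible in the code: only eight bits are left for options, so the client's MSS is rounded down to a table entry and everything else (window scaling, SACK) is lost, which is why real kernels switch cookies on only once the backlog is full.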

Other Application Level Floods : Here the attacker abuses a condition in the application, such as a buffer overflow or an unusually expensive operation, to fill up the victim's disk space or consume all its memory and CPU cycles. A 'banana attack' is a variant in which outgoing messages from the victim are redirected back to the victim itself, cutting it off from the outside network.

Teardrop Attacks : In this attack, the attacker sends mangled IP fragments to the victim, with overlapping fragment offsets or an oversized reassembled length. If the victim's operating system cannot handle the reassembly properly, the machine crashes.

Peer-to-Peer Attacks : In this attack, the attacker gains control over the clients of a peer-to-peer file sharing hub and instructs them to disconnect from their peer-to-peer network and connect to the victim's website instead. This results in hundreds of thousands of connection requests to the victim machine, which exhausts its computational resources, and so the service is denied.

HTTP Post DDoS Attack : In this attack, the attacker sends a legitimate, complete HTTP POST header that announces a large Content-Length, but then sends the message body at an extremely slow rate, a few bytes at a time. Nothing in the request is malformed, so the victim keeps the connection open and waits for the rest of the body; a few thousand such connections tie up all of the server's worker threads or connection slots. The main problem with this sort of attack is that it is very hard to distinguish the attacking connection from a slow but legitimate client, so it passes rate limits and signature-based protections easily.

Slow Read Attack : A Slow Read attack sends a legitimate application-layer request to the victim machine, but then reads the response very slowly. The attacker advertises a very small (or zero) TCP receive window and drains the victim's send buffer a few bytes at a time, so the server has to hold the response, and the connection, open for a very long time.
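Both slow attacks are beaten by the same kind of rule: a connection must make progress or it is dropped. The following added example (mine, not code from the original article or from any web server) models the two checks in Python over constructed timelines. The body rule copies the shape of Apache's RequestReadTimeout (an initial allowance plus extra time earned per byte received); the window-stall rule is an assumption for the response direction, with the thresholds chosen for the example.

```python
def body_read_outcome(events, content_length, initial_timeout=20.0, min_rate=500):
    """Decide when a request body has to be complete.

    events: constructed list of (seconds since headers completed, bytes received).
    The body starts with `initial_timeout` seconds; every `min_rate` bytes that
    arrive earn one more second (the rule behind Apache's RequestReadTimeout
    body=20,MinRate=500). Returns ("completed", t) or ("dropped", t).
    """
    deadline = initial_timeout
    received = 0
    for t, nbytes in events:
        if t > deadline:
            return ("dropped", t)
        received += nbytes
        deadline += nbytes / min_rate
        if received >= content_length:
            return ("completed", t)
    return ("dropped", deadline)          # body never finished


def response_send_outcome(window_samples, min_window=1024, max_stall=30.0):
    """Slow-read guard for the response direction.

    window_samples: constructed list of (t, advertised TCP receive window).
    If the client keeps its window below `min_window` for `max_stall` seconds
    the server should drop the connection. Returns ("dropped", t) or ("ok", last t).
    """
    stall_started = None
    last_t = 0.0
    for t, window in window_samples:
        last_t = t
        if window >= min_window:
            stall_started = None
            continue
        if stall_started is None:
            stall_started = t
        elif t - stall_started >= max_stall:
            return ("dropped", t)
    return ("ok", last_t)


# Constructed traffic: a browser uploading 100 kB, and an attacker dribbling one byte every 10 s
LEGIT_BODY = [(0.5, 50_000), (1.0, 50_000)]
SLOW_POST = [(10 * i, 1) for i in range(1, 20)]
# Constructed window samples every 5 s: a normal client, and a slow reader stuck at 64 bytes
LEGIT_WINDOW = [(5 * i, 65535) for i in range(13)]
SLOW_READ = [(5 * i, 64) for i in range(13)]

if __name__ == "__main__":
    print(body_read_outcome(LEGIT_BODY, 100_000))
    print(body_read_outcome(SLOW_POST, 100_000))
    print(response_send_outcome(LEGIT_WINDOW))
    print(response_send_outcome(SLOW_READ))
```

The legitimate upload completes in a second, while the one-byte-per-ten-seconds client is cut off at 30 seconds even though every packet it sent was valid; the same thresholds let a genuinely slow mobile client through as long as it keeps moving data.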

Reflected Attack : A DDoS in which the attacker forges the victim's IP address as the source and sends a large number of request messages to many other computers. All of those machines respond, but the responses go to the victim, eating up its bandwidth. When the responses are much larger than the requests, as with DNS or NTP, the reflection also amplifies the attack.

SSL Flood : Setting up an SSL/TLS connection costs the server far more processing than it costs the client, because the server performs the expensive private-key operation of the handshake. An SSL flood exploits that asymmetry: the attacker opens a large number of handshakes (or repeatedly renegotiates on one connection), and the server burns its processing cycles on illegitimate handshakes instead of responding to legitimate ones.

Fraggle Attack : This attack is similar to a Smurf attack, but instead of ICMP the attacker sends a large amount of forged UDP traffic (typically to the echo or chargen ports) to a broadcast address with the victim's address as the source, so every host's reply lands on the victim machine.

LAND Attack : It is a Local Area Network Denial attack. The attacker sends a TCP SYN packet to the victim machine in which the source and destination IP address (and port) are both the victim's own. A vulnerable TCP stack keeps replying to itself and locks up or consumes all its processing power. Current operating systems are patched against it, but the packet can never be legitimate, so it is still worth dropping at the firewall.

DNS Amplification Attack : In this attack, the attacker sends a large number of DNS queries to open DNS resolvers, forging the victim's IP address as the source, so that the resolvers send all the responses to the victim machine. Because a DNS response can be many times larger than the query (an ANY query with EDNS0 is amplified dozens of times), a modest amount of attack traffic is enough to flood the victim's bandwidth.
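The following added example (mine, not code from the original article or from any resolver) shows the three parts of the reflected/amplified DNS attack described in the last two paragraphs in Python: the attacker's small query (built byte by byte so the amplification ratio can be measured), the resolver-side response rate limiting that stops a reflector from amplifying, and the BCP38 egress filter that stops spoofed requests from leaving a network in the first place. The query ID, the 3000-byte answer size, the rate limit and the prefixes are constructed for the example.

```python
import ipaddress
import struct


def build_dns_query(name, qtype=255, edns_bufsize=4096):
    """Minimal DNS query packet: header, one question, optional EDNS0 OPT record.
    qtype 255 is ANY, the query type classically used for amplification because
    the answer carries every record of the name. Constructed for this example."""
    arcount = 0 if edns_bufsize is None else 1
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)            # class IN
    if edns_bufsize is not None:
        # OPT RR: root name, type 41, "class" = largest UDP payload the sender accepts
        packet += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return packet


def amplification_factor(query, response_length):
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_length / len(query)


class ResponseRateLimiter:
    """Resolver-side mitigation (the idea behind BIND's RRL): identical answers to the
    same destination are limited per second, so a reflector stops amplifying."""

    def __init__(self, per_second=5):
        self.per_second = per_second
        self.counts = {}                     # (dst_ip, qname, second) -> answers sent

    def allow(self, dst_ip, qname, now):
        key = (dst_ip, qname, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.per_second


def egress_allowed(src_ip, our_prefixes):
    """BCP38 at the network edge: an outbound packet may only carry a source address
    from our own prefixes, so forged requests never leave the network."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in our_prefixes)


def filter_egress(packets, our_prefixes):
    """Return the (src, dst) packets a BCP38 filter would forward."""
    return [(s, d) for s, d in packets if egress_allowed(s, our_prefixes)]


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(len(q), "byte query")
    print(amplification_factor(q, 3000), "x for a constructed 3000-byte answer")
    rrl = ResponseRateLimiter(per_second=5)
    sent = sum(rrl.allow("198.51.100.10", "example.com", now=0.1 * i) for i in range(40))
    print(sent, "of 40 reflected answers get out in 4 seconds")
    print(filter_egress([("10.1.2.3", "8.8.8.8"), ("198.51.100.10", "8.8.8.8")], ["10.0.0.0/8"]))
```

A 40-byte query that draws a 3000-byte answer is a 75x amplifier; with the rate limiter only 20 of 40 identical answers leave the resolver, and the egress filter drops the packet claiming 198.51.100.10 as source because it is not in the site's 10.0.0.0/8.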

TCP Null Attack : In this attack the attacker sends a large number of TCP segments with no flags set at all (no SYN, ACK, FIN and so on). Such a segment belongs to no valid state of a TCP connection, and firewall rules written to match SYN, UDP or ICMP traffic may let it through, so the flood reaches the victim machine and consumes its bandwidth. Sent one at a time, the same packet is used for 'null scans' that probe firewall rules.
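Neither a LAND packet nor a TCP null segment can ever be legitimate, so both are easy to reject once the headers are parsed carefully. The following added example (mine, not code from the original article) parses a raw IPv4/TCP packet in Python, checking every length field before reading it, and classifies the two cases; the packet builder exists only to construct test packets, with zero checksums and addresses chosen for the example.

```python
import ipaddress
import struct

TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed test packets only: IPv4 header (no options) + 20-byte TCP header, zero checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4(packet):
    """Parse the IPv4 header and, for TCP, the fixed part of the TCP header.
    Length fields are checked before every unpack so a truncated packet raises
    ValueError instead of being misread."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < ihl:
        raise ValueError("bad header length")
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "sport": None, "dport": None, "flags": None}
    if proto == TCP:
        if len(packet) < ihl + 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
        info.update(sport=sport, dport=dport, flags=off_flags & 0x01FF)   # low 9 bits are the flags
    return info


def flag_names(flags):
    return [name for i, name in enumerate(TCP_FLAG_NAMES) if flags >> i & 1]


def classify(packet):
    """Return the reasons a packet filter should drop this packet (empty list = pass)."""
    p = parse_ipv4(packet)
    reasons = []
    if p["src"] == p["dst"]:
        reasons.append("LAND: source address equals destination address")
    if p["proto"] == TCP and p["flags"] == 0:
        reasons.append("TCP NULL: segment with no flags set")
    return reasons


if __name__ == "__main__":
    SYN = 0x02
    print(classify(build_ipv4_tcp("192.168.1.116", "192.168.1.116", 80, 80, SYN)))
    print(classify(build_ipv4_tcp("203.0.113.5", "192.168.1.116", 40000, 80, 0)))
    print(classify(build_ipv4_tcp("203.0.113.5", "192.168.1.116", 40000, 80, SYN)))
```

The same two checks are what a stateful firewall rule such as "drop invalid" or an explicit "no flags set" match implements; the point of writing the parser out is that the length checks come before any field is trusted, which is exactly what the Teardrop and Ping of Death bugs above got wrong.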

If I continued, the list would perhaps never end, and that would only flood the article with information. I wanted to keep it short, so I mentioned only the most common attacks.

Knowing about the possible attacks is the very first step towards protection against them. So, if you think this article has helped you anywhere, or you want to add valuable information to it, please feel free to share your feedback, comments and opinions.

Now, the question is: can we set the firewall of the guests from the host?

Let's try a setup where both the guests and the host are Linux systems.

The basic idea is this: we run a server program on the host and a client program on the guest. The host sends a command to the guest, the guest executes it and returns the output to the host. That is enough to set firewall rules in the guest from the host.

Of course, we also need to run a shell script in the guest, which will take care of the input and output redirection.

Does it look confusing?

Let me explain the code in detail then.

Let's assume we have this shell script running in the guest:

#!/bin/bash
# Runs in the guest. The 'client' program connects to the host, prints the
# command it receives on stdout and exits 0; any other exit code means no connection.
HOSTIP=192.168.1.116

while :
do
    ./client "$HOSTIP" > inputfile
    ret=$?
    if [ "$ret" -eq 0 ]
    then
        var=$(cat inputfile)
        echo "command to execute: $var"
        # Execute the received command exactly once, capturing stdout and stderr
        bash -c "$var" > outputfile 2>&1
        # Second invocation: the extra argument tells the client to send this file back
        ./client "$HOSTIP" outputfile
        echo "Output file contained: $(cat outputfile)"
        rm -f outputfile
    else
        echo "Could not connect"
        rm -f inputfile
        exit 1
    fi
    rm -f inputfile
done

This script runs a program called 'client', which connects to the server. The server sends a command to the client over the socket, and the client simply prints the received command to stdout. The shell script redirects that output into a variable and executes the command, with both stderr and stdout of the command redirected to a file. Finally, the shell script invokes the client program again, this time with one more argument: the name of the file that contains the output. The client now opens the file and sends it line by line to the server, and the only job left for the server is to print the output.

This server code simply
accepts the connection from the guest, takes the input command from
the user and sends it to the guest. And when the guest connects
again, it receives the output from the guest and prints it.

The client code, as I said before, makes a connection with the host and waits for an input command. When it gets the command it prints it to stdout, so that the shell script can execute it. The shell script then invokes the program again with an extra argument, the name of the file that contains the output of the command. The client simply reads the output text from the file and sends it to the server.

Last but not least, the client shell script needs to be run with 'sudo', otherwise the firewall commands will fail with permission errors. That also means every command the host sends is executed as root in the guest, and the client accepts whatever it receives without checking who sent it, so the host's server port must only be reachable from the guests (a host-only network), or the messages must be authenticated.
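As an added example (mine, not the client or server code of the original article) here is the framing I would put around the command messages in Python: a keyed HMAC so the guest only runs commands from the host that knows the shared key, a sequence number so a captured frame cannot be replayed, an allow list of firewall programs so the channel cannot be turned into a general root shell, and execution without a shell (no `echo $var` trick). The shared key, the allow list and the JSON-plus-newline frame format are assumptions for the example.

```python
import hashlib
import hmac
import json
import shlex
import subprocess

# Assumptions for this example (not from the original scripts): a key shared
# between host and guest, provisioned out of band, and a short list of
# programs the guest is willing to run on the host's behalf.
SHARED_KEY = b"replace-with-32-random-bytes-from-os.urandom"
ALLOWED_PROGRAMS = {"iptables", "ip6tables", "ufw", "nft"}


def pack_command(key, seq, cmd):
    """Host side: frame = JSON body, newline, hex HMAC-SHA256 of the body, newline."""
    body = json.dumps({"seq": seq, "cmd": cmd}, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag + b"\n"


class CommandVerifier:
    """Guest side: accept a frame only if the MAC is valid, the sequence number is
    fresh (no replay), and the program is on the allow list."""

    def __init__(self, key, allowed):
        self.key = key
        self.allowed = allowed
        self.last_seq = 0

    def verify(self, frame):
        parts = frame.split(b"\n")
        if len(parts) < 2:
            return None, "malformed frame"
        body, tag = parts[0], parts[1]
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):     # constant-time compare, checked first
            return None, "bad MAC"
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return None, "replayed or out-of-order sequence"
        argv = shlex.split(msg["cmd"])
        if not argv or argv[0] not in self.allowed:
            return None, "program not allowed"
        self.last_seq = msg["seq"]
        return argv, "ok"


def run_verified(verifier, frame):
    """Execute an accepted command without a shell and return its combined output,
    or the reason the frame was refused."""
    argv, status = verifier.verify(frame)
    if argv is None:
        return status
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout + result.stderr


if __name__ == "__main__":
    v = CommandVerifier(SHARED_KEY, ALLOWED_PROGRAMS)
    good = pack_command(SHARED_KEY, 1, "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP")
    print(v.verify(good))
    print(v.verify(good)[1])                                   # replay of the same frame
    print(v.verify(good.replace(b"DROP", b"ACCEPT"))[1])       # tampered in transit
    print(v.verify(pack_command(SHARED_KEY, 2, "rm -rf /"))[1])
```

The MAC is checked before the JSON is parsed, so an attacker on the network cannot feed the parser at all without the key; the sequence check rejects a replayed "allow everything" rule, and the allow list means that even with the key the channel can only do the one job it was built for.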

So, this was a simple way to execute firewall-related commands remotely, or rather to execute any command remotely. I hope you enjoyed the basic idea, and if you have any feedback or comments, please feel free to share.

So, we have already learnt how to find the IP address of the host from a guest and the IP address of a guest from the host. The next thing of interest is how the host can know when one of the guest machines is down. You might say this is simple: we can always write a small shell script that pings the guest machines at regular intervals, and if a ping gets no response, that particular guest machine is down.

But we have already discussed attacks like the ping flood, and as a remedy we said it is better to drop or rate-limit ping on servers. Many servers are configured that way, and if the guests are, the ping-based method will not work.

So, what is the alternative method?

Socket programming! We can run a server script on the host and client scripts on the guests. Each guest connects to the host and sends a message at a fixed interval. If the messages stop arriving, or the connection closes, we know the guest is down.
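The part the paragraph leaves open is how many missed messages mean "down": declaring a guest dead on the first lost packet produces false alarms, so the host should keep a little state per guest. The following added example (mine, not code from the original article) is that host-side logic in Python, with a small line protocol for the heartbeat; the "HB <hostname> <seq>" format, the 5-second interval and the three-misses rule are assumptions for the example.

```python
import re

# Line protocol each guest sends over its socket: "HB <hostname> <seq>\n".
# Constructed for this example; the original post does not fix a format.
HEARTBEAT_RE = re.compile(r"^HB (?P<guest>[A-Za-z0-9._-]+) (?P<seq>\d+)$")


def parse_heartbeat(line):
    """Return (guest, seq) or None for anything that is not a well-formed heartbeat."""
    m = HEARTBEAT_RE.match(line.strip())
    return (m["guest"], int(m["seq"])) if m else None


class HeartbeatMonitor:
    """Host-side state: a guest is declared down only after `misses` consecutive
    intervals without a heartbeat, so one lost message does not raise an alarm."""

    def __init__(self, interval, misses=3):
        self.interval = interval
        self.misses = misses
        self.last_seen = {}    # guest -> time of last heartbeat
        self.last_seq = {}     # guest -> last sequence number (detects restarts and replays)
        self.state = {}        # guest -> "up" | "down"

    def beat(self, guest, seq, now):
        """Record a heartbeat. Returns "recovered", "restarted", "ignored" or "ok"."""
        prev_seq = self.last_seq.get(guest)
        if prev_seq is not None and seq <= prev_seq and seq != 0:
            return "ignored"                   # stale or replayed message
        result = "restarted" if prev_seq is not None and seq == 0 else "ok"
        if self.state.get(guest) == "down":
            result = "recovered"
        self.last_seen[guest] = now
        self.last_seq[guest] = seq
        self.state[guest] = "up"
        return result

    def check(self, now):
        """Call periodically from the host. Returns the guests that just went down."""
        went_down = []
        for guest, seen in self.last_seen.items():
            if self.state[guest] == "up" and now - seen > self.interval * self.misses:
                self.state[guest] = "down"
                went_down.append(guest)
        return went_down

    def feed(self, line, now):
        """Parse one line received on a guest's socket and record it."""
        parsed = parse_heartbeat(line)
        if parsed is None:
            return "malformed"
        return self.beat(parsed[0], parsed[1], now)


if __name__ == "__main__":
    m = HeartbeatMonitor(interval=5, misses=3)
    m.feed("HB vm1 0", 0)
    m.feed("HB vm2 0", 0)
    m.feed("HB vm1 1", 5)
    print(m.check(10))      # [] : vm2 has missed two beats, not yet three
    print(m.check(16))      # ['vm2']
    print(m.feed("HB vm2 0", 21))   # recovered, and seq 0 says it rebooted
```

The sequence number is cheap insurance: a guest that reboots restarts at 0 and is reported as "restarted" rather than silently continuing, and a duplicated or delayed packet cannot make a dead guest look alive.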

Monday, September 28, 2015

There are only a couple of ways to communicate between guest and host, and if we want a hypervisor-independent way, using sockets is the most feasible option. But to do that, the minimum we need is to know the IP addresses of the guests and the host.

After a bit of research, I found an easy way of doing that. We can use utilities like arp-scan and arp, and they will make our life a lot easier. I will explain the details in a short while.

Before that, we need to install arp-scan in both guest and host:

# sudo apt-get install arp-scan

My host and my guests are all Ubuntu systems, so I will be using simple shell scripts for the purpose.

Write this shell script on the host:

#!/bin/bash
GUEST1="vm1-virtual-machine.local"
GUEST2="vm2-virtual-machine.local"

echo -e "Which VM?\n1.$GUEST1\n2.$GUEST2\n[1/2] \c"
read answer
if [ "$answer" -eq 1 ]
then
    GUEST=$GUEST1
else
    GUEST=$GUEST2
fi
echo "You want ip for $GUEST"

# 'arp -a' prints one line per entry: hostname (ip) at mac [ether] on interface
# Match the hostname at the start of the line, take the second field and strip the parentheses
ip=$(arp -a | grep "^$GUEST " | awk '{print $2}' | tr -d '()')
echo "Guest IP is: $ip"

Here I am using 'arp -a' on the host. If the ARP table is populated properly, 'arp -a' lists the hostname and IP address of the machines in the local network. Whether or not the guest VMs have independent IP addresses (e.g. through a bridged network), it lists the guest VMs and their IP addresses, and we can filter out the IP address of a guest by its hostname. Yes, you need to know the hostnames of the guests in advance. Note that the ARP cache only contains machines the host has exchanged traffic with recently, so ping the guest once if its entry is missing.

On the guest side, I run an 'arp-scan' to find out all the IP addresses and MAC addresses in the local network, and then filter out the host by its MAC address. Yes, you need to know the MAC address of the host in advance.
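The two commands print in fixed, easy-to-parse formats, so the filtering can be done more robustly than with grep and tr. The following added example (mine, not code from the original article) parses both outputs in Python and also cross-checks them, which is worth doing because an ARP cache entry can be stale or poisoned; the sample outputs are constructed in the formats net-tools 'arp -a' and arp-scan print, with the hostnames from the script above and made-up addresses.

```python
import re

# Constructed sample outputs in the formats the two tools print (net-tools
# `arp -a` and `arp-scan`); the hostnames match the post, the addresses are made up.
ARP_A_SAMPLE = """\
vm1-virtual-machine.local (192.168.1.133) at 08:00:27:ab:cd:ef [ether] on eth1
vm2-virtual-machine.local (192.168.1.134) at 08:00:27:12:34:56 [ether] on eth1
? (192.168.1.50) at <incomplete> on eth1
_gateway (192.168.1.1) at dc:a6:32:00:11:22 [ether] on eth1
"""

ARP_SCAN_SAMPLE = """\
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts
192.168.1.1\tdc:a6:32:00:11:22\t(Unknown)
192.168.1.116\t3c:97:0e:aa:bb:cc\t(Unknown)
192.168.1.133\t08:00:27:ab:cd:ef\t(Unknown)
192.168.1.134\t08:00:27:12:34:56\t(Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.5 seconds. 4 responded
"""

ARP_A_RE = re.compile(r"^(?P<host>\S+) \((?P<ip>\d+\.\d+\.\d+\.\d+)\) at "
                      r"(?P<mac>[0-9a-f:]{17}|<incomplete>)", re.I)
ARP_SCAN_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp_a(text):
    """hostname -> (ip, mac) for every resolved entry; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_A_RE.match(line)
        if m and m["mac"] != "<incomplete>":
            table[m["host"]] = (m["ip"], m["mac"].lower())
    return table


def parse_arp_scan(text):
    """mac -> ip from arp-scan output; banner and summary lines do not match and are ignored."""
    return {m["mac"].lower(): m["ip"] for m in map(ARP_SCAN_RE.match, text.splitlines()) if m}


def guest_ip_by_hostname(arp_a_text, hostname):
    """What the host script does: look a guest up by its hostname."""
    entry = parse_arp_a(arp_a_text).get(hostname)
    return entry[0] if entry else None


def host_ip_by_mac(arp_scan_text, mac):
    """What the guest script does: look the host up by its MAC address."""
    return parse_arp_scan(arp_scan_text).get(mac.lower())


def cache_vs_scan_mismatches(arp_a_text, arp_scan_text):
    """IPs whose cached MAC differs from what the live scan returned: stale entries,
    or someone answering ARP for an address that is not theirs."""
    scan_by_ip = {ip: mac for mac, ip in parse_arp_scan(arp_scan_text).items()}
    return [(ip, cached, scan_by_ip[ip])
            for _, (ip, cached) in parse_arp_a(arp_a_text).items()
            if ip in scan_by_ip and scan_by_ip[ip] != cached]


if __name__ == "__main__":
    print(guest_ip_by_hostname(ARP_A_SAMPLE, "vm1-virtual-machine.local"))
    print(host_ip_by_mac(ARP_SCAN_SAMPLE, "3C:97:0E:AA:BB:CC"))
    print(cache_vs_scan_mismatches(ARP_A_SAMPLE, ARP_SCAN_SAMPLE))
```

Feed it the real output (`subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout`, and the same for `arp-scan --localnet`, which needs root) and the mismatch list is a cheap first check against the ARP spoofing discussed in the later articles on this page.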

The advantage of a simple shell script like this is that you can run it on the host and the guests and then use socket programming on top of it. This automates the process of communication, and once you are using sockets you have the opportunity to share all kinds of information.

So, this was a very simple shell script. I am quite a novice at shell scripting, but what I can say is that it works.

So, you can always borrow this
idea and write your own shell scripts. And when you do that, please
share your feedback. Good day!

Friday, September 25, 2015

Cloud computing is one of the fastest-growing technologies. There are the following different types of cloud.

Types of Cloud

As per Services Offered :

IaaS or Infrastructure as a Service : If the cloud offers infrastructure such as storage disks or virtual servers, it is called Infrastructure as a Service or IaaS. Examples include Rackspace and Flexiscale.

PaaS or Platform as a Service : If the cloud offers a development platform that includes an operating system, a programming language execution environment, a database and a web server, it is called Platform as a Service or PaaS. Examples include Google App Engine and Salesforce.

SaaS or Software as a Service : If the cloud offers access to software applications on a per-user basis, it is called Software as a Service or SaaS. Examples include GMail and Google Docs.

As per Deployment Models :

On the other hand, by deployment model there are mainly four types of cloud.

Private Cloud : Private clouds
operate solely for a single organization. They can be managed
internally or by a third party, hosted internally or externally.

Public Cloud : In a Public Cloud, services are rendered over a network that
is open to public.

Community Cloud : A Community Cloud shares infrastructure among several organizations from a specific community with similar concerns, such as security, compliance or jurisdiction. It can be managed internally or by a third party, and hosted internally or externally.

Hybrid Cloud : Hybrid cloud is a composition of two
or more clouds, like private, public or community. It offers the
benefits of multiple deployment models.

Security Concerns of Cloud

What are the security concerns that cloud service providers and their clients need to take care of?

If we look closely, we can see quite a number of security concerns that we need to take care of while implementing or using cloud services.

Let's discuss a few of them.

The first security issue that comes to mind is data breaches. In a multi-tenant cloud service, if the service's database is not designed properly, a single flaw in a single client's application can give an attacker access to the data of one or many clients. Encrypting data can be a solution, but if you lose the encryption key you lose the data, and keeping offline backups of the data increases the number of places a breach can happen.

Secondly, we can think of
the issue of data loss that the cloud service providers need to take
care of. Data must be preserved from disasters like fire, flood or an
earthquake.

The next issue is account hijacking. If an attacker somehow takes over an account at the cloud service provider, he can eavesdrop on all the transactions, manipulate data, redirect clients to illegitimate sites and prepare further attacks.

Fourthly, there is the threat of insecure interfaces and APIs. Cloud service providers offer APIs and interfaces for using, managing, orchestrating and monitoring cloud services. Weak interfaces and APIs expose the service to threats against the confidentiality, integrity, availability and accountability of the data.

The next threat is the Denial of Service attack. Cloud service providers bill their clients based on the computing cycles and disk space consumed. An attacker, even if he cannot stop the service completely, may consume enough processing cycles to degrade the service significantly and to run up the client's bill.

Cloud service providers also have to protect against malicious insiders. They have to monitor properly all the employees, contractors and business partners who have access to the cloud, the network, the services and the data. A malicious insider, or simply irresponsible access to data, can lead to serious threats.

The seventh issue is the abuse of clouds. A malicious user should not be able to use the processing power of the cloud for breaking encryption keys or attacking other systems. A cloud service provider needs to take care that its cloud is not abused in this way.

A cloud service provider shares resources like CPUs, GPUs and caches among multiple clients, so a cloud must be designed to offer strong isolation between tenants. If a shared component such as the hypervisor gets compromised, the entire environment is exposed to compromise and breach.

So,
if you are a cloud service provider or a user, it is better to keep
these concerns in mind and design it properly.

In this article, I will explain how to install an Intrusion Detection System on your system. I am using a Linux system here. The advantage of Linux is that it is open source and gives lots of opportunities for experiments.

An Intrusion Detection System inspects all
inbound and outbound traffic in your system and detects suspected
attacks. In this article, I will show how to install Snort Intrusion
Detection System in your Linux machine.

So, let's start.

1. Install LAMP Server :

The LAMP suite is Linux-Apache-MySQL-PHP. Snort itself does not need it; we install it for the web console that will display Snort's alerts. To do that, first install tasksel and then the lamp-server task:

# sudo apt-get install tasksel
# sudo tasksel install lamp-server

You will be prompted for the MySQL root password during the installation process. Give a password and remember it; you will need it again later.

Tuesday, September 22, 2015

In one of my last articles, I discussed ARP Spoofing. It is an attack in which an attacker sends falsified ARP messages over a local area network to link the victim's IP address with his own MAC address. As a result, all the traffic meant for the victim reaches the attacker first. The attacker can then steal sensitive information or prepare further attacks.

In this article I am going to describe how to detect whether your system is the target of an ARP Spoofing attack.

Preparing with tools

Firstly, you need to install a few pieces of software on your system. For Linux, you need tcpdump, wireshark and arp-scan.

tcpdump is the command-line packet analyzer on a Linux system. You can install it using:

# sudo apt-get install tcpdump

You need arp-scan to find out all the IP addresses and the corresponding MAC addresses in your local network. You can install it using:

# sudo apt-get install arp-scan

Wireshark is another tool for analyzing packets. The advantage of this tool is that it is GUI based. You can install it using:

# sudo apt-get install wireshark

Detecting ARP Spoofing Attack

Let's first analyze the network packets of the system using wireshark.

Type the following command at the prompt to open wireshark:

# sudo wireshark

A wireshark window will appear.

Select the proper interface for your system. On my system it is eth1; it may be different on yours.

On clicking Start, a window will appear in which you see the source IP address and destination IP address of each packet, along with some other information.

Select any TCP or UDP packet, and the packet details will be shown in the pane below the list.

Here, I have selected a packet whose source IP is 74.125.200.189 and whose destination is my IP.

Now click on the Ethernet II field below.

If you look carefully, the source IP 74.125.200.189 is carried in a frame whose source MAC address is 00:1f:3a:bc:7b:58.

So, the packet that I selected has actually come from the MAC address 00:1f:3a:bc:7b:58, which belongs to IP 192.168.1.133, an address in my local network, and not from the internet via my router. A packet from an outside address should always arrive in a frame sent by the default gateway's MAC address.

This means someone on the LAN has sent falsified ARP messages linking the gateway's IP address with his own MAC address, so that my traffic to and from the internet passes through 192.168.1.133. That is an ARP Spoofing attack. You can check which MAC your system currently has for the gateway with 'arp -a' and compare it with what 'arp-scan' reports for the same IP.

You can confirm the same with tcpdump too.

Open a terminal and type:

# sudo tcpdump -vXXn -e -i eth1 dst 192.168.1.116

This captures the packets sent to your IP address 192.168.1.116 on interface eth1. The -e option prints the link-layer (MAC) addresses of each frame, -n disables name resolution, -XX prints the packet in hex including the Ethernet header and -v adds more detail, so for every packet you can see the source MAC alongside the source IP, exactly as in the wireshark view.
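The check done by hand above (does the MAC answering for an IP match what we expect?) is simple enough to automate over the output of `tcpdump -e -n arp`. The following added example (mine, not code from the original article) is a small ARP watcher in Python: it pins the gateway's IP to the MAC you know is correct and raises an alert when another MAC claims it, when an IP's MAC changes, or when the sender MAC inside an ARP reply disagrees with the Ethernet frame that carried it. The capture lines are constructed in tcpdump's format; the addresses are made up apart from the attacker MAC quoted in the article.

```python
import re

# Constructed lines in the format `tcpdump -e -n arp` prints; the MAC
# 00:1f:3a:bc:7b:58 is the one quoted in the article, the rest are made up.
TCPDUMP_LINES = [
    "12:00:01.000001 dc:a6:32:00:11:22 > 3c:97:0e:aa:bb:cc, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.1 is-at dc:a6:32:00:11:22, length 28",
    "12:00:01.500000 3c:97:0e:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 192.168.1.133 tell 192.168.1.116, length 28",
    "12:00:01.500400 00:1f:3a:bc:7b:58 > 3c:97:0e:aa:bb:cc, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.133 is-at 00:1f:3a:bc:7b:58, length 28",
    "12:00:05.000000 00:1f:3a:bc:7b:58 > 3c:97:0e:aa:bb:cc, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.1 is-at 00:1f:3a:bc:7b:58, length 28",
    "12:00:06.000000 08:00:27:12:34:56 > 3c:97:0e:aa:bb:cc, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.133 is-at 08:00:27:12:34:56, length 28",
    "12:00:07.000000 08:00:27:12:34:56 > 3c:97:0e:aa:bb:cc, ethertype ARP (0x0806), length 42: "
    "Reply 192.168.1.134 is-at 08:00:27:ab:cd:ef, length 28",
]

ARP_REPLY_RE = re.compile(
    r"^\S+ (?P<eth_src>[0-9a-f:]{17}) > (?P<eth_dst>[0-9a-f:]{17}), ethertype ARP \(0x0806\), "
    r"length \d+: Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})", re.I)


class ArpWatch:
    """Track IP -> MAC bindings seen in ARP replies and alert on suspicious changes."""

    def __init__(self, pinned=None):
        # pinned: ip -> mac you know to be correct (the gateway, read off the router label)
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.seen = dict(self.pinned)

    def observe(self, line):
        m = ARP_REPLY_RE.match(line)
        if not m:
            return None                          # requests and non-ARP lines carry no binding
        ip, mac, eth_src = m["ip"], m["mac"].lower(), m["eth_src"].lower()
        if mac != eth_src:
            return "%s: ARP sender %s does not match frame source %s" % (ip, mac, eth_src)
        if ip in self.pinned and mac != self.pinned[ip]:
            return "%s: pinned to %s but %s claims it (gateway poisoning)" % (ip, self.pinned[ip], mac)
        previous = self.seen.get(ip)
        self.seen[ip] = mac
        if previous is not None and previous != mac:
            return "%s: changed from %s to %s" % (ip, previous, mac)
        return None

    def scan(self, lines):
        return [alert for alert in map(self.observe, lines) if alert]


if __name__ == "__main__":
    watch = ArpWatch(pinned={"192.168.1.1": "dc:a6:32:00:11:22"})
    for alert in watch.scan(TCPDUMP_LINES):
        print("ALERT", alert)
```

To run it live, pipe `sudo tcpdump -l -e -n -i eth1 arp` into the script and call `observe` on each line; a pinned entry never gets overwritten, so the watcher keeps alerting for as long as the attacker keeps poisoning.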

Monday, September 21, 2015

ARP Spoofing is an
attack in which an attacker can send falsified ARP messages over a
local area network and link the victim's IP address with his MAC
address. As a result, all the traffic that is meant for the victim,
will reach the attacker first. The attacker can afterwards steal
sensitive information or prepare for more attacks.

The attacker queries the network and finds out the IP addresses and corresponding MAC addresses of the users connected to the target subnet. There are lots of ARP Spoofing tools, like Arpspoof, Cain & Abel, Arpoison and Ettercap, that are commonly used for this.

The attacker finds the victim's IP address, then links his own MAC address with the victim's IP address and sends out ARP messages across the LAN.

The other hosts in the LAN cache the falsified ARP message. As a result, traffic meant for the victim reaches the attacker instead.

Implications of ARP Spoofing Attacks

There can be many serious implications, such as:

If the attacker links multiple IP addresses to the victim's MAC address, packets meant for several IP addresses all reach the victim, which can lead to a Denial of Service attack.

The attacker can steal the victim's session ID and access private data.

The attacker
can intercept and modify the traffic of the victim, which can lead to
Man In The Middle attack.

Prevention

We can take some steps to prevent ARP Spoofing attacks.

Use packet filters and do not allow packets with conflicting source information. For example, do not allow packets that come from outside the network but carry a source IP from inside the network.

Organizations can avoid trust relationships based on addresses. Do not allow any machine, whatever its IP address, to access internal data of the organization without authentication.

There are a couple of software tools available for detecting ARP Spoofing, such as arpwatch; you can use those. On a small network you can also pin the gateway's entry in the ARP cache with a static entry (arp -s), which a forged reply cannot overwrite.

Use cryptographic network protocols like HTTPS, SSH and TLS. They do not stop the ARP messages themselves, but they limit the damage: an attacker who intercepts encrypted traffic cannot read or modify it, and a client that verifies the server's certificate or host key notices the interception.

So, do
not give an attacker any chance, take some simple steps and stay
protected!